From: Dan Mick
Date: Wed, 13 Mar 2024 19:33:50 +0000 (-0700)
Subject: checkcerts.py: certificate errors were not noted
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=9f71b4b296298f2a8832dffc6257c4d0df327ee7;p=ceph-cm-ansible.git

checkcerts.py: certificate errors were not noted

When a certificate is already expired, its expiry was not noted (loop exited early). This stills doesn't explain the lack of early warning, but at least it'll fix the "no email on actual errors" issue.

Signed-off-by: Dan Mick
---

diff --git a/tools/checkcerts.py b/tools/checkcerts.py
index e0d3efc..f195074 100755
--- a/tools/checkcerts.py
+++ b/tools/checkcerts.py
@@ -85,25 +85,29 @@ def main():
 warned = False
 for domain in domains:
+ errstr = None
+ certerr = False
 warn = datetime.timedelta(days=DAYS_BEFORE_WARN)
 try:
 with socket.create_connection((domain, 443)) as sock:
 with context.wrap_socket(sock, server_hostname=domain) as ssock:
 cert = ssock.getpeercert()
 except (ssl.CertificateError, ssl.SSLError) as e:
- print(f'{domain} cert error: {e}', file=sys.stderr)
- continue
- expire = datetime.datetime.strptime(cert['notAfter'],
- '%b %d %H:%M:%S %Y %Z')
- now = datetime.datetime.utcnow()
- left = expire - now
-
- leftstr = f'{domain:30s} cert: {str(left).rsplit(".",1)[0]} left until it expires'
+ certerr = True
+ errstr = f'{domain} cert error: {e}'
+
+ if not certerr:
+ expire = datetime.datetime.strptime(cert['notAfter'],
+ '%b %d %H:%M:%S %Y %Z')
+ now = datetime.datetime.utcnow()
+ left = expire - now
+
+ errstr = f'{domain:30s} cert: {str(left).rsplit(".",1)[0]} left until it expires'
 if not args.quiet:
- print(leftstr, file=sys.stderr)
- if left < warn and args.email:
- subject = f'{domain}\'s SSL Cert is expiring soon.'
- body = leftstr
+ print(errstr, file=sys.stderr)
+ if (certerr or (left < warn)) and args.email:
+ subject = f'Certificate problem with {domain}'
+ body = errstr
 email = args.email
 if email == []:
 email = DEFAULT_EMAIL
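Review bot: The `except (ssl.CertificateError, ssl.SSLError) as e:` clause still lets a failure of `socket.create_connection((domain, 443))` — DNS error, refused connection, network timeout — propagate out of the `for domain in domains:` loop, so one unreachable host aborts the checks for every remaining domain and no email goes out, which is the same class of silent failure this commit sets out to fix. Since `ssl.SSLError` derives from `OSError`, widening the clause to `except OSError as e:` keeps the existing cases and lets a connection failure take the new `certerr` path as well; the call also has no timeout, so `socket.create_connection((domain, 443), timeout=10)` (10 s is an example value) would stop a hung host from blocking the whole run. A smaller point: moving the error report under `if not args.quiet:` means a `--quiet` run without `--email` now prints nothing for a bad certificate, whereas the old code always wrote it to stderr, so printing `errstr` whenever `certerr` is set regardless of `args.quiet` would keep that signal. `main()` continues past the end of the hunk, so whether `warned` is updated on the error path is not visible here.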